Information security


Daily summary of bugs in Web applications (PHP, ASP, JSP, CGI, Perl)
Published: 11 March 2007
Source:
SecurityVulns ID: 7386
Type: remote
Threat level: 5/10
Description: PHP injections, SQL injections, directory traversal, cross-site scripting, information leaks, etc.
Affected products: WWWBOARD : WWWboard 2.0
 OPENSOLUTIONS : Quick.Cart 2.0
 NUKESENTINEL : NukeSentinel 2.5
CVE:CVE-2007-1494 (Cross-site scripting (XSS) vulnerability in NukeSentinel before 2.5.06 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the "filters for https:// and http://".)
 CVE-2007-1493 (nukesentinel.php in NukeSentinel 2.5.06 and earlier uses a permissive regular expression to validate an IP address, which allows remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header, due to an incomplete patch for CVE-2007-1172.)
 CVE-2007-1422 (SQL injection vulnerability in goster.asp in fystyq Duyuru Scripti allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2007-0688.)
 CVE-2007-1408 (Multiple vulnerabilities in (1) bank.php, (2) landfill.php, (3) outposts.php, (4) tribes.php, (5) house.php, (6) tribearmor.php, (7) tribeastral.php, (8) tribeware.php, and (9) includes/head.php in Bartek Jasicki Vallheru before 1.3 beta have unknown impact and remote attack vectors, probably related to large integer values containing more than 15 digits. NOTE: the original vendor report is for integer overflows, but this is probably an incorrect usage of the term.)
 CVE-2007-1407 (Unspecified vulnerability in OpenSolution Quick.Cart before 2.1 has unknown impact and attack vectors, related to a "low critical exploit.")
Original text: r00t2000_(at)_hush.com, WWWboard password disclosure (11.03.2007)
 crazy_king_(at)_eno7.org, Fıstıq Duyuru Scripti Remote Sql İnjection Exploit (11.03.2007)
Files: Fistiq Duyuru Scripti Remote Blind SQL Injection Exploit
 NukeSentinel <= 2.5.06 SQL Injection (mysql >= 4.0.24) Exploit

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod